Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   
Spamhaus Botnet Threat Update: Q1-2019

2019-04-25 17:00:00 UTC   |   by Spamhaus Malware Labs   |   Category:  malware, cybercrime, botnets
Recent News Articles

Spamhaus Blocklist (SBL) listings are moving

The conundrum that is the modern use of NAT at a carrier grade level

QNAME Minimization and Spamhaus DNSBLs

The beta nature of the Threat Intel Community Portal

Want to submit data? Be our guest!

The return of the ASN-DROP

Qakbot - the takedown and the remediation

Poor sending practices trigger a tidal wave of informational listings

Older News Articles:
Spamhaus News INDEX

Welcome to the first quarterly update of 2019

In the first three months of this year, Spamhaus Malware Labs have observed significant changes in the malware that’s associated with botnet Command & Control (C&C) servers, most notably a preference for cybercriminals to utilize crimeware kits.

Meanwhile ‘.com’ & ‘.UK’ are leading the way when it comes to the top-level domains (TLDs) that are associated with botnet C&Cs. However, there’s no change when it comes to most abused hosting provider: Cloudflare.


This quarter we’re putting the spotlight on a single bulletproof hosting outfit.

Since January, we have seen an upswing in the number of fraudulent domain name registrations in the ccTLD spaces ‘.UG’ (Uganda) and ‘.NG’ (Nigeria).

While both ccTLDs have had an increase in the number of fraudulent domain name registrations, ‘.UG’ has gone through the roof. In February 2019, 35% of all domain names within ‘.UG’ that Spamhaus Malware Labs observed were registered for the sole purpose of hosting a botnet controller (C&C).

Who is responsible for this massive increase of fraudulent domain name registrations in the African domain namespace? During our investigation, we discovered that a single bulletproof hosting outfit is connected to these domain registrations which is selling its services on underground sites and the dark web.

The setup is simple: They register a ‘.UG’ domain name for their customer with the operator ‘’ and use a Chinese based DNS provider ‘DNSPod’ (Tencent). From a cybercriminal’s perspective, this has a big advantage: Both and DNSPod are exceptionally slow to investigate abuse reports, that’s if they are investigated at all. This makes a cybercriminal’s botnet C&C infrastructure almost 100% bulletproof to takedown requests.

Spamhaus is trying to work together with both and DNSPod to resolve this issue. While communication between these operators can be challenging these efforts are starting to pay off, with the percentage of fraudulent domain registrations within ccTLD ‘.UG’ reducing from 35% to 29%.

Looking for the path of least resistance

Once Spamhaus identifies a botnet C&C, in addition to listing the entity across our range of services, we typically send takedown requests to the relevant domain registry, registrar and network owner.

Needless to say, this has a substantial negative impact on a cybercriminal’s operations. Therefore, it is no surprise that spammers, phishers and botnet operators alike, are constantly looking for new ways to increase the uptime of their botnet C&C infrastructure to ensure that their operation is running smoothly.

Number of botnet C&Cs observed in 2019

Botnet listings Q1-2019

When we look at the number of newly detected botnet Command & Controllers (C&C), as a result of fraudulent sign-ups, it is evident that the upward trend detected in 2018 is continuing into 2019.

In 2018 the number of botnet C&Cs identified from fraudulent sign-ups lifted 176% from 276 per month in January to 762 per month in December. The monthly average across 2018 was 530 botnet controller listings (BCL) per month.

In this quarter we have observed another significant step-up in numbers across the first three months of this year. The number of newly detected botnet C&Cs reached 1,281 in March 2019, an additional 519 botnet C&Cs compared to December 2018’s figures. Meanwhile, the monthly average in 2019 has increased by 110% to 1,113 per month.

What is a ‘fraudulent sign-up’?

This is where a miscreant is using a fake, or stolen identity, to sign-up for a service, usually a VPS or a dedicated server, for the sole purpose of using it for hosting a botnet C&C.

Geolocation of botnet C&Cs in Q1 2019

Geolocation botnets Q1-2019

Geolocation tables

There has been no change in the location of botnet C&C traffic. The number one geolocation for botnet C&Cs remains the United States, followed by Russia and the Netherlands:

Malware associated with botnet C&Cs, Q1 2019

Malware ranking Q1-2019

Malware ranking table

We have identified substantial changes in the malware that is associated with botnet C&Cs across the first quarter of 2019. Most pertinent is the increase in the popularity of crimeware kits, which enable individuals with no previous coding experience to create, customize and distribute malware.

AZORult: Throughout 2018 a total of 915 botnet C&Cs associated with AZORult were identified and blocked by our researchers. This averages out at 76 botnet C&C per month. In the first three months of this year, 1,155 botnet C&Cs have been identified. This takes 2019’s monthly average to 385 botnet C&Cs, which is a whopping 407% increase.

Crimeware kits: Lokibot (#1) and AZORult (#2) botnet C&Cs account for 64% of all botnet traffic in Q1. There is a growth in popularity of crimeware kits, indicating that cybercrime is becoming increasingly ‘commoditized’. This commoditization wouldn’t occur without the right kind of demand and platform. Does this point to the cybercrime market growing in sophistication, driven by the increasing opportunities the dark web presents?

JBifrost: Numbers associated with this Remote Access Tool (RAT) in 2018 proliferated, seeing it take the #2 spot, however in Q1 2019 it has moved down 4 places to #6.


AZORult is a credential stealer ‘crimeware kit’ sold on underground hacker sites. It not only attempts to harvest and exfiltrate credentials from various applications such as web browsers but additionally tries to steal address books from email clients.


JBifrost, also known as Adwind, is a Remote Access Tool (RAT) based on Java. Java is a cross-platform environment which allows JBifrost to not only run on computers running the Windows operating system but also macOS and Android.

Most abused top-level domains, Q1 2019
Top abused TLDs Q1-2019

Top abused TLDs table

In addition to the issues that featured in our ‘Spotlight’, there has been lots of change for the top-level domains (TLDs) that are being used to host botnet C&Cs. Perhaps most interesting is that the top 2 entries are for well-known TLDs: ‘.com’ & ‘.uk’, particularly ‘.uk’ which has also seen a significant amount of shoeshow spamming activity in the past few months, as featured here.

How cybercriminals protect against takedowns

To make botnet C&Cs more resilient against takedowns cybercriminals usually register a dedicated domain name for hosting the botnet C&C.

When the hosting provider takes down the botnet C&C, the botnet operator can easily change the DNS A record to a different server.

Most abused domain registrars, Q1 2019

Most abused domains Q1-2019

Most abused domains table

Namecheap has been knocked off its top spot by, which has moved up the ranks to #1 from #10 this quarter. Namecheap accounted for 65% of all domain registrations for botnet C&Cs in 2018 and now only accounts for 15%. We hope this is due to instigating a more vigorous vetting process, and not just a result of Namecheap not running any promotions in the past quarter. have 22% of the total domains used for botnet C&Cs registered through them in Q1 2019, compared to 0.55% across 2018.

Poor processes leave operators open to abuse

To register a domain name, a botnet operator must choose a domain registrar. Domain registrars play a crucial role in fighting abuse in the domain landscape: They not only vet the domain registrant (customer) but also have the ability to suspend or delete domain names.

Unfortunately, many domain registrars do not have a robust customer vetting process, leaving their service open to abuse.

ISPs hosting botnet C&Cs, Q1 2019

ISPs hosting botnets Q1-2019

ISPs hosting botnets table

What hasn’t changed in Q1 2019 compared to 2018 is the preferred place that miscreants choose to host their botnet C&Cs: The US-based CDN provider Cloudflare. Cloudflare is followed some way behind by three Russian based hosting providers called Stajazk, Timeweb and


While Cloudflare does not directly host any content, it provides services to botnet operators, masking the actual location of the botnet controller and protecting it from DDoS attacks.

We look forward to seeing you in July when we’ll be providing you with Quarter 2’s update.

Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Spamhaus Botnet Threat Update: Q1-2019

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2024 The Spamhaus Project SLU. All rights reserved.
Legal  |  Privacy